Message-Id: <E1M64aK-0006EV-UW@titan.mandriva.com>
Date: Mon, 18 May 2009 17:17:00 +0200
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2009:116 ] gnutls



 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:116
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : gnutls
 Date    : May 18, 2009
 Affected: 2008.1, 2009.0, 2009.1, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in gnutls:
 
 lib/pk-libgcrypt.c in libgnutls in GnuTLS before 2.6.6 does not
 properly handle invalid DSA signatures, which allows remote attackers
 to cause a denial of service (application crash) and possibly have
 unspecified other impact via a malformed DSA key that triggers a (1)
 free of an uninitialized pointer or (2) double free (CVE-2009-1415).
 
 lib/gnutls_pk.c in libgnutls in GnuTLS 2.5.0 through 2.6.5 generates
 RSA keys stored in DSA structures, instead of the intended DSA keys,
 which might allow remote attackers to spoof signatures on certificates
 or have unspecified other impact by leveraging an invalid DSA key
 (CVE-2009-1416).
 
 gnutls-cli in GnuTLS before 2.6.6 does not verify the activation
 and expiration times of X.509 certificates, which allows remote
 attackers to successfully present a certificate that is (1) not yet
 valid or (2) no longer valid, related to lack of time checks in the
 _gnutls_x509_verify_certificate function in lib/x509/verify.c in
 libgnutls_x509, as used by (a) Exim, (b) OpenLDAP, and (c) libsoup
 (CVE-2009-1417).
 
 The updated packages have been patched to prevent this.
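
 Added example (not Mandriva's or GnuTLS's code): the activation and expiration
 check that gnutls-cli before 2.6.6 omitted, written against the certificate
 dictionary that Python's ssl.SSLSocket.getpeercert() returns, whose
 notBefore/notAfter strings ssl.cert_time_to_seconds() parses. The sample chain,
 the verification instant VERIFY_AT and all function names are constructed for
 this example; a real client passes the current time instead of VERIFY_AT.

```python
import ssl
import time

# Hypothetical verification instant (1 June 2009), chosen to sit between the
# constructed sample dates below; a real client uses time.time().
VERIFY_AT = ssl.cert_time_to_seconds("Jun  1 12:00:00 2009 GMT")

# Constructed sample chain in ssl.SSLSocket.getpeercert() dict form (not real certs).
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "www.example.test"),),),          # inside window
     "notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Dec 31 23:59:59 2009 GMT"},
    {"subject": ((("commonName", "Future Issuing CA"),),),         # case (1)
     "notBefore": "Jan  1 00:00:00 2010 GMT", "notAfter": "Dec 31 23:59:59 2019 GMT"},
    {"subject": ((("commonName", "Old Root CA"),),),               # case (2)
     "notBefore": "Jan  1 00:00:00 1999 GMT", "notAfter": "Dec 31 23:59:59 2008 GMT"},
]

def common_name(cert):
    """Pull commonName out of getpeercert()'s nested subject tuples."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return "<no CN>"

def check_validity_period(cert, now=None):
    """None if `cert` is inside its window at `now` (epoch seconds), else the reason."""
    now = time.time() if now is None else now
    try:
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError) as exc:
        # A certificate whose validity period cannot be read must not pass silently.
        return f"unparseable validity period: {exc}"
    if now < not_before:
        return "not yet valid"      # case (1) in the advisory
    if now > not_after:
        return "expired"            # case (2) in the advisory
    return None

def check_chain(chain, now=None):
    """Time-check every certificate in the chain, as a verifier must;
    returns {commonName: reason} for each certificate that fails."""
    failures = {}
    for cert in chain:
        reason = check_validity_period(cert, now)
        if reason is not None:
            failures[common_name(cert)] = reason
    return failures
```

 Running check_chain(SAMPLE_CHAIN, VERIFY_AT) rejects the two CA certificates and accepts only the leaf; an empty result is the only outcome a client should treat as "time checks passed".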
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1415
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1416
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1417
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
